pwtyapob.sys infection


  • This topic is locked
41 replies to this topic

#31 jigglestick

jigglestick
  • Topic Starter

  • Members
  • 32 posts

Posted 23 April 2010 - 03:35 PM


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 9/28/2006 2:49:14 PM
System Uptime: 4/23/2010 3:20:38 PM (0 hours ago)

Motherboard: Gateway | |
Processor: Genuine Intel® CPU U1400 @ 1.20GHz | U2E1 | 1197/mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 71 GiB total, 58.332 GiB free.
D: is FIXED (FAT32) - 4 GiB total, 2.728 GiB free.

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP322: 1/19/2010 9:07:22 PM - System Checkpoint
RP323: 1/20/2010 9:50:01 PM - System Checkpoint
RP324: 1/21/2010 10:17:06 PM - Software Distribution Service 3.0
RP325: 1/23/2010 1:33:51 PM - System Checkpoint
RP326: 1/25/2010 11:24:01 AM - System Checkpoint
RP327: 1/27/2010 9:06:08 AM - System Checkpoint
RP328: 1/28/2010 3:56:36 PM - System Checkpoint
RP329: 1/29/2010 5:58:24 PM - System Checkpoint
RP330: 2/4/2010 7:24:35 PM - System Checkpoint
RP331: 2/7/2010 11:27:38 AM - System Checkpoint
RP332: 2/9/2010 1:17:19 PM - System Checkpoint
RP333: 2/9/2010 5:44:31 PM - Software Distribution Service 3.0
RP334: 2/10/2010 8:21:05 PM - System Checkpoint
RP335: 2/15/2010 1:03:33 PM - System Checkpoint
RP336: 2/16/2010 1:36:01 PM - System Checkpoint
RP337: 2/17/2010 7:51:49 PM - System Checkpoint
RP338: 2/19/2010 5:43:09 PM - System Checkpoint
RP339: 2/20/2010 6:40:37 PM - System Checkpoint
RP340: 2/22/2010 7:57:27 PM - System Checkpoint
RP341: 2/24/2010 9:27:34 PM - Software Distribution Service 3.0
RP342: 2/27/2010 6:00:59 PM - System Checkpoint
RP343: 2/28/2010 6:56:58 PM - System Checkpoint
RP344: 3/1/2010 6:52:41 PM - Removed Adobe Reader 8.1.2
RP345: 3/1/2010 6:53:16 PM - Installed Adobe Reader 9.3.
RP346: 3/4/2010 6:36:11 PM - System Checkpoint
RP347: 3/5/2010 7:55:57 PM - System Checkpoint
RP348: 3/7/2010 8:10:30 PM - System Checkpoint
RP349: 4/3/2010 11:41:59 PM - avast! Free Antivirus Setup
RP350: 4/4/2010 9:35:06 AM - Software Distribution Service 3.0
RP351: 4/4/2010 4:55:32 PM - Restore Operation
RP352: 4/5/2010 1:24:00 PM - Installed SUPERAntiSpyware Free Edition
RP353: 4/14/2010 3:06:30 PM - System Checkpoint
RP354: 4/15/2010 11:07:06 AM - Software Distribution Service 3.0
RP355: 4/16/2010 12:49:59 PM - System Checkpoint
RP356: 4/16/2010 5:21:07 PM - Removed Java 2 Runtime Environment, SE v1.4.2
RP357: 4/16/2010 5:25:28 PM - Installed Java™ 6 Update 20
RP358: 4/17/2010 5:57:23 PM - System Checkpoint
RP359: 4/18/2010 12:10:52 PM - Agnitum Outpost Firewall Restore Point: install
RP360: 4/18/2010 5:38:51 PM - avast! Free Antivirus Setup
RP361: 4/18/2010 6:55:23 PM - avast! Free Antivirus Setup
RP362: 4/18/2010 7:05:22 PM - avast! Free Antivirus Setup
RP363: 4/18/2010 7:06:03 PM - avast! Free Antivirus Setup
RP364: 4/18/2010 7:12:30 PM - avast! Free Antivirus Setup
RP365: 4/18/2010 7:12:55 PM - avast! Free Antivirus Setup
RP366: 4/18/2010 7:48:47 PM - Installed AVG Free 9.0
RP367: 4/23/2010 11:40:11 AM - System Checkpoint

==== Installed Programs ======================

1400
1400_Help
1400Trb
Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player Plugin
Adobe Reader 9.3
Adobe Shockwave Player 11
Adobe® Photoshop® Album Starter Edition 3.2
Agere Systems HDA Modem
AiO_Scan
AiOSoftware
Avira AntiVir Personal - Free Antivirus
Browser Address Error Redirector
BufferChm
CP_Package_Variety1
CP_Package_Variety2
CP_Package_Variety3
CustomerResearchQFolder
Destinations
DeviceManagementQFolder
Digital Photo Navigator 1.5
DocProc
ESET Online Scanner v3
eSupportQFolder
Fax
Google Toolbar for Internet Explorer
Google Update Helper
gtw_logo
GWCares
High Definition Audio Driver Package - KB888111
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
HP Extended Capabilities 5.3
HP Image Zone Express
HP Imaging Device Functions 5.3
HP Product Assistant
HP PSC & OfficeJet 5.3.B
HP Solution Center & Imaging Support Tools 5.3
HP Update
HPProductAssistant
Intel Matrix Storage Manager
Intel® Graphics Media Accelerator Driver
Intel® PRO Network Connections Drivers
Intel® PROSet/Wireless Software
Java Auto Updater
Java™ 6 Update 20
Malwarebytes' Anti-Malware
MarketResearch
mCore
mDriver
mDrWiFi
mHelp
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Works
mIWA
mLogView
mMHouse
mPfMgr
mPfWiz
mProSafe
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
mWlsSafe
mXML
mZConfig
Napster
Napster Burn Engine
NewCopy
Outpost Firewall 2009
PL-2303 USB-to-Serial
Power2Go 4.0
PowerDVD
ProductContext
QuickTime
Readme
RealPlayer Basic
Recovery Software Suite Gateway
Revo Uninstaller 1.87
Scan
ScannerCopy
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB913433)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980232)
SigmaTel Audio
SolutionCenter
Status
SUPERAntiSpyware Free Edition
Synaptics Pointing Device Driver
Texas Instruments PCIxx21/x515/xx12 drivers.
The Weather Channel Desktop 6
TIPCI
TrayApp
Unload
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB971180)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Viewpoint Media Player
WebFldrs XP
WebReg
WIDCOMM Bluetooth Software
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format Runtime
Windows Media Player 10
Windows XP Service Pack 3
WinPhlash
Yahoo! Toolbar
Yahoo! Toolbar for Internet Explorer

==== Event Viewer Messages From Past Week ========

4/23/2010 11:04:08 AM, error: Service Control Manager [7006] - The ScRegSetValueExW call failed for ImagePath with the following error: Access is denied.
4/23/2010 10:40:32 AM, error: Service Control Manager [7000] - The SASENUM service failed to start due to the following error: Access is denied.
4/23/2010 10:40:24 AM, error: Service Control Manager [7000] - The ArHotKey service failed to start due to the following error: Access is denied.
4/23/2010 10:40:21 AM, error: Service Control Manager [7001] - The SSDP Discovery Service service depends on the HTTP service which failed to start because of the following error: Access is denied.
4/23/2010 10:40:21 AM, error: Service Control Manager [7000] - The HTTP service failed to start due to the following error: Access is denied.
4/16/2010 9:04:18 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: abp480n5 adpu160m agp440 agpCPQ Aha154x aic78u2 aic78xx AliIde alim1541 amdagp amsint asc asc3350p asc3550 atapi cbidf cd20xrnt CmdIde Cpqarray dac2w2k dac960nt dpti2o hpn i2omp ini910u IntelIde mraid35x PCIIde perc2 perc2hib ql1080 Ql10wnt ql12160 ql1240 ql1280 sisagp Sparrow symc810 symc8xx sym_hi sym_u3 TosIde ultra viaagp ViaIde
4/16/2010 9:04:15 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.

==== End Of File ===========================

DDS (Ver_10-03-17.01) - NTFSx86
Run by Administrator at 15:28:17.75 on Fri 04/23/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.655 [GMT -5:00]

FW: Outpost Firewall *enabled* {8A20CA2A-9E02-4A64-923B-0A38208EB7FD}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.yahoo.com
uInternet Connection Wizard,ShellNext = hxxp://www.gateway.com/g/startpage.html?Ch=Consumer&Br=GTW&Loc=ENG_US&Sys=PTB&M=NX100X
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: CitiUSBrowserHelper Class: {387edf53-1cf2-4523-bc2f-13462651be8c} - c:\windows\system32\BhoCitUS.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\windows\system32\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [Power2GoExpress] NA
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockw~1\SWHELP~2.EXE -Update -1103470 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; GTB5; .NET CLR 1.1.4322; .NET CLR 2.0.50727; IEMB3; IEMB3)" -"http://media.pearsoncmg.com/aw/bc_marieb_humananphy_5/hap_place_media/chapter28/medialib/learning/ch28ae1.html"
mRun: [Gateway Extended Warranty] "c:\program files\gateway\gwcares\GWCares.exe"
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Reminder] %WINDIR%\Creator\Remind_XP.exe
mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [arima hotkey] c:\program files\arima hotkey\arima_hotkey.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.2\apps\apdproxy.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [OutpostMonitor] c:\progra~1\agnitum\outpos~1\op_mon.exe /tray /noservice
mRun: [OutpostFeedBack] "c:\program files\agnitum\outpost firewall\feedback.exe" /dump:os_startup
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Mahjong%20Escape%20-%20Ancient%20Japan/Images/stg_drm.ocx
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Mahjong%20Escape%20-%20Ancient%20Japan/Images/armhelper.ocx
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 SandBox;SandBox;c:\windows\system32\drivers\SandBox.sys [2010-4-18 704384]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]
R2 acssrv;Agnitum Client Security Service;c:\progra~1\agnitum\outpos~1\acs.exe [2010-4-18 1195008]
R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\afw.sys [2010-4-18 31128]
R3 afwcore;afwcore;c:\windows\system32\drivers\afwcore.sys [2010-4-18 257432]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-31 135664]
S3 ArHotKey;ArHotKey;c:\windows\system32\drivers\ArHotKey.SYS [2006-9-25 5632]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]

=============== Created Last 30 ================

2010-04-23 17:41:13 0 d-----w- c:\docume~1\admini~1\applic~1\Avira
2010-04-23 16:03:54 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-04-23 16:03:53 0 d-----w- c:\program files\Avira
2010-04-23 16:03:53 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira
2010-04-23 15:56:00 0 d-----w- C:\08b683f8c761d6d96a
2010-04-23 15:45:07 0 d-----w- C:\cc9548f02a16c078ccff2100b5
2010-04-19 14:22:40 0 d-----w- c:\program files\VS Revo Group
2010-04-18 19:33:47 0 d-----w- C:\uninstall.exe
2010-04-18 17:12:30 704384 ----a-w- c:\windows\system32\drivers\SandBox.sys
2010-04-18 17:12:22 257432 ----a-w- c:\windows\system32\drivers\afwcore.sys
2010-04-18 17:10:59 49 ----a-w- c:\windows\transp.gif
2010-04-18 17:10:56 31128 ----a-w- c:\windows\system32\drivers\afw.sys
2010-04-18 17:10:46 0 d-----w- c:\program files\Agnitum
2010-04-18 17:09:33 0 d-----w- c:\docume~1\alluse~1\applic~1\Agnitum
2010-04-17 17:04:17 0 d-----w- c:\program files\ESET
2010-04-16 22:25:55 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-04-16 22:25:55 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-16 20:20:15 0 d-sha-r- C:\cmdcons
2010-04-16 20:18:51 77312 ----a-w- c:\windows\MBR.exe
2010-04-16 20:18:51 261632 ----a-w- c:\windows\PEV.exe
2010-04-16 18:44:32 0 d-----w- c:\windows\system32\appmgmt
2010-04-16 17:19:33 0 ----a-w- c:\documents and settings\administrator\defogger_reenable
2010-04-05 18:24:18 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-04-05 18:24:00 0 d-----w- c:\program files\SUPERAntiSpyware
2010-04-05 18:24:00 0 d-----w- c:\docume~1\admini~1\applic~1\SUPERAntiSpyware.com
2010-04-05 18:23:15 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-04-04 16:46:39 0 d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
2010-04-04 16:46:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-04 16:46:11 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-04-04 16:46:10 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-04 16:46:10 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-04 04:41:59 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-04-04 04:00:18 0 d-----w- c:\docume~1\admini~1\applic~1\Helper

==================== Find3M ====================

2010-04-16 20:24:05 578560 ----a-w- c:\windows\system32\user32.dll
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11:07 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-23 22:08:23 28846 ----a-w- c:\docume~1\admini~1\applic~1\wklnhst.dat
2010-02-17 14:10:28 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25:04 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll
2008-09-23 23:35:07 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092320080924\index.dat

============= FINISH: 15:29:06.65 ===============
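The two DDS sections a helper reads first are the "SERVICES / DRIVERS" list and the "Event Viewer Messages" block: the Service Control Manager events 7000/7006 with "Access is denied" and the System Restore filter (source "sr", event 1) giving up on the volume are the kind of entries that get cross-referenced against the driver list. The script below is an added example, not part of this thread and not the DDS tool's own code. It parses both line formats exactly as they appear in the log above and reports which listed services were denied at start, whether the ImagePath write was denied, and whether the System Restore filter stopped. The sample input reuses lines from the log above plus one constructed entry for the driver named in the thread title (its state, date and size are placeholders; the posted log does not list that driver). The "eight lowercase letters, no descriptive display name" check is a coarse triage heuristic chosen for this example, not a verdict, and an "Access is denied" flag is a lead to investigate, not proof of anything.

```python
import re

# Lines copied from the "SERVICES / DRIVERS" section of the DDS log above, plus
# one CONSTRUCTED entry for the driver named in the thread title. Its state,
# date and size are placeholders; the posted log never lists that driver.
SAMPLE_SERVICES = r"""
R1 SandBox;SandBox;c:\windows\system32\drivers\SandBox.sys [2010-4-18 704384]
R2 acssrv;Agnitum Client Security Service;c:\progra~1\agnitum\outpos~1\acs.exe [2010-4-18 1195008]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-31 135664]
S3 ArHotKey;ArHotKey;c:\windows\system32\drivers\ArHotKey.SYS [2006-9-25 5632]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]
R0 pwtyapob;pwtyapob;c:\windows\system32\drivers\pwtyapob.sys [2010-1-1 1]
"""

# Lines copied from the "Event Viewer Messages" section of the same log.
SAMPLE_EVENTS = """
4/23/2010 11:04:08 AM, error: Service Control Manager [7006] - The ScRegSetValueExW call failed for ImagePath with the following error: Access is denied.
4/23/2010 10:40:32 AM, error: Service Control Manager [7000] - The SASENUM service failed to start due to the following error: Access is denied.
4/23/2010 10:40:24 AM, error: Service Control Manager [7000] - The ArHotKey service failed to start due to the following error: Access is denied.
4/23/2010 10:40:21 AM, error: Service Control Manager [7001] - The SSDP Discovery Service service depends on the HTTP service which failed to start because of the following error: Access is denied.
4/23/2010 10:40:21 AM, error: Service Control Manager [7000] - The HTTP service failed to start due to the following error: Access is denied.
4/16/2010 9:04:15 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
"""

# DDS service line: "<state> <name>;<display>;<path> [<date> <size>]"
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)\s+\[(?P<date>[\d-]+)\s+(?P<size>\d+)\]\s*$"
)
# DDS event line: "<date> <time> AM/PM, <level>: <source> [<id>] - <message>"
EVENT_RE = re.compile(
    r"^(?P<when>\S+ \S+ [AP]M), (?P<level>\w+): (?P<source>.+?) "
    r"\[(?P<id>\d+)\] - (?P<msg>.*)$"
)
START_DENIED_RE = re.compile(
    r"^The (?P<svc>\S+) service failed to start .*Access is denied\.$"
)
# Heuristic (an assumption of this example): eight lowercase letters, no digits.
GENERATED_NAME_RE = re.compile(r"[a-z]{8}")


def parse_services(text):
    """Return one dict per parsable SERVICES / DRIVERS line."""
    rows = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["size"] = int(row["size"])
            rows.append(row)
    return rows


def parse_events(text):
    """Return one dict per parsable Event Viewer line."""
    matches = (EVENT_RE.match(line.strip()) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]


def looks_generated(name, display):
    """Coarse triage hint only: random-looking name and no descriptive display name."""
    return bool(GENERATED_NAME_RE.fullmatch(name)) and display == name


def triage(services_text, events_text):
    """Cross-reference SCM failures with the driver list and flag odd names."""
    services = {s["name"].lower(): s for s in parse_services(services_text)}
    start_denied, imagepath_denied, sr_stopped = [], False, False
    for ev in parse_events(events_text):
        scm = ev["source"] == "Service Control Manager"
        if scm and ev["id"] == "7000":
            m = START_DENIED_RE.match(ev["msg"])
            if m:
                listed = services.get(m["svc"].lower())
                start_denied.append({
                    "service": m["svc"],
                    "state": listed["state"] if listed else None,  # None: not in list
                    "path": listed["path"] if listed else None,
                })
        elif scm and ev["id"] == "7006" and "Access is denied" in ev["msg"]:
            imagepath_denied = True  # SCM could not rewrite a service's ImagePath
        elif ev["source"] == "sr" and ev["id"] == "1":
            sr_stopped = True        # System Restore filter stopped monitoring
    suspicious = [s["name"] for s in services.values()
                  if looks_generated(s["name"], s["display"])]
    return {
        "start_denied": start_denied,
        "imagepath_write_denied": imagepath_denied,
        "sr_filter_stopped": sr_stopped,
        "generated_looking_names": suspicious,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_SERVICES, SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

To run it over a real log, read the two sections out of the DDS text file and pass them to triage(); services that appear in "start_denied" with a listed state and path are the ones to look at first, and an entry with state None (the HTTP service here) is a kernel-mode service DDS does not list, so it has to be checked by other means.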



#32 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,929 posts
  • Gender:Female
  • Location:Romania

Posted 23 April 2010 - 03:59 PM

Could you please download a new copy of ComboFix, run it and post me the log?

Regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


Malware analyst @ Emsisoft


#33 jigglestick

jigglestick
  • Topic Starter

  • Members
  • 32 posts

Posted 23 April 2010 - 05:32 PM

I'm getting an error prompt.
It says "you can not rename Combofix as Combofix[1]
please use another name, preferably made up of alphanumeric characters...."
When I click the OK button, it goes away, leaving me no options.

I tried again and hit Save instead of Run.
It's running...
...now it's not... Windows is shutting down....
I feel like I'm in quicksand.

Edited by jigglestick, 23 April 2010 - 05:36 PM.


#34 jigglestick

jigglestick
  • Topic Starter

  • Members
  • 32 posts

Posted 23 April 2010 - 05:43 PM

I'm running ComboFix in safe mode. Is that OK?

My Outpost firewall kept spitting out pop-ups, something about creating rules? Allow or block?
I dunno... it's auto-scanning in safe mode anyway...

#35 jigglestick

jigglestick
  • Topic Starter

  • Members
  • 32 posts

Posted 23 April 2010 - 06:02 PM

ComboFix 10-04-21.01 - Administrator 04/23/2010 17:41:35.7.1 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.810 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
FW: Outpost Firewall *enabled* {8A20CA2A-9E02-4A64-923B-0A38208EB7FD}
.

((((((((((((((((((((((((( Files Created from 2010-03-23 to 2010-04-23 )))))))))))))))))))))))))))))))
.

2010-04-23 17:41 . 2010-04-23 17:41 -------- d-----w- c:\documents and settings\Administrator\Application Data\Avira
2010-04-23 16:03 . 2010-03-01 15:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-04-23 16:03 . 2010-02-16 19:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-04-23 16:03 . 2009-05-11 17:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-04-23 16:03 . 2009-05-11 17:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-04-23 16:03 . 2010-04-23 16:03 -------- d-----w- c:\program files\Avira
2010-04-23 16:03 . 2010-04-23 16:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-04-23 15:56 . 2010-04-23 16:05 -------- d-----w- C:\08b683f8c761d6d96a
2010-04-23 15:45 . 2010-04-23 15:50 -------- d-----w- C:\cc9548f02a16c078ccff2100b5
2010-04-19 14:22 . 2010-04-19 14:22 -------- d-----w- c:\program files\VS Revo Group
2010-04-19 00:05 . 2010-04-14 16:31 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-04-19 00:05 . 2010-04-14 16:31 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-04-19 00:05 . 2010-04-14 16:31 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-04-19 00:05 . 2010-04-14 16:30 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-04-18 19:33 . 2010-04-18 19:35 -------- d-----w- C:\uninstall.exe
2010-04-18 17:12 . 2009-04-06 16:37 704384 ----a-w- c:\windows\system32\drivers\SandBox.sys
2010-04-18 17:12 . 2009-02-10 21:15 257432 ----a-w- c:\windows\system32\drivers\afwcore.sys
2010-04-18 17:10 . 2009-02-18 22:30 31128 ----a-w- c:\windows\system32\drivers\afw.sys
2010-04-18 17:10 . 2010-04-18 17:10 -------- d-----w- c:\program files\Agnitum
2010-04-18 17:09 . 2010-04-18 17:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Agnitum
2010-04-17 17:04 . 2010-04-17 17:04 -------- d-----w- c:\program files\ESET
2010-04-16 22:26 . 2010-04-16 22:26 -------- d-----w- c:\program files\Common Files\Java
2010-04-16 22:26 . 2010-04-16 22:26 503808 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6bef276b-n\msvcp71.dll
2010-04-16 22:26 . 2010-04-16 22:26 499712 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6bef276b-n\jmc.dll
2010-04-16 22:26 . 2010-04-16 22:26 348160 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6bef276b-n\msvcr71.dll
2010-04-16 22:26 . 2010-04-16 22:26 61440 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-6a0e2e48-n\decora-sse.dll
2010-04-16 22:26 . 2010-04-16 22:26 12800 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-6a0e2e48-n\decora-d3d.dll
2010-04-16 22:25 . 2010-04-16 22:25 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-05 18:24 . 2010-04-05 18:24 52224 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-04-05 18:24 . 2010-04-05 18:24 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-05 18:24 . 2010-04-05 18:24 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-04-05 18:24 . 2010-04-05 18:24 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-05 18:24 . 2010-04-05 18:24 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-04-05 18:23 . 2010-04-05 18:23 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-04-04 16:46 . 2010-04-04 16:46 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-04-04 16:46 . 2010-03-29 20:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-04 16:46 . 2010-04-04 16:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-04 16:46 . 2010-04-04 21:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-04 16:46 . 2010-03-29 20:24 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-04 04:41 . 2010-04-19 00:12 -------- d-----w- c:\program files\Alwil Software
2010-04-04 04:41 . 2010-04-19 00:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-04-04 04:00 . 2010-04-04 04:00 -------- d-----w- c:\documents and settings\Administrator\Application Data\Helper

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-23 16:15 . 2007-01-06 20:27 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-04-23 16:13 . 2010-01-02 17:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-04-19 00:54 . 2006-09-28 23:28 31384 -c--a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-16 22:25 . 2006-09-25 21:29 -------- d-----w- c:\program files\Java
2010-04-16 20:24 . 2006-06-01 03:17 578560 ----a-w- c:\windows\system32\user32.dll
2010-04-04 22:00 . 2009-01-16 06:42 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-04 22:00 . 2009-01-16 06:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-03-10 06:15 . 2006-06-01 03:17 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-03 01:25 . 2009-08-05 03:12 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-03-02 00:54 . 2006-09-25 21:45 -------- d-----w- c:\program files\Common Files\Adobe
2010-03-02 00:50 . 2010-03-02 00:50 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-03-02 00:50 . 2010-03-02 00:51 38784 ----a-w- c:\documents and settings\Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-03-02 00:49 . 2010-03-02 00:49 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-02-25 06:24 . 2006-06-01 03:17 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2006-06-01 03:16 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-23 22:08 . 2007-12-18 02:48 28846 ----a-w- c:\documents and settings\Administrator\Application Data\wklnhst.dat
2010-02-17 14:10 . 2006-06-01 03:16 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-04 05:59 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2006-06-01 03:16 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2006-06-01 03:17 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-17 39408]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-04-01 2010864]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gateway Extended Warranty"="c:\program files\Gateway\GWCares\GWCares.exe" [2004-02-08 73728]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-10-07 737370]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-26 966656]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-10-12 139264]
"AGRSMMSG"="AGRSMMSG.exe" [2005-12-12 88204]
"arima hotkey"="c:\program files\Arima Hotkey\arima_hotkey.exe" [2006-04-28 753664]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 602182]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-25 98304]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"OutpostMonitor"="c:\progra~1\Agnitum\OUTPOS~1\op_mon.exe" [2009-04-28 2374464]
"OutpostFeedBack"="c:\program files\Agnitum\Outpost Firewall\feedback.exe" [2009-04-28 428032]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

S1 SandBox;SandBox;c:\windows\system32\drivers\SandBox.sys [4/18/2010 12:12 PM 704384]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 11:15 AM 66632]
S2 acssrv;Agnitum Client Security Service;c:\progra~1\Agnitum\OUTPOS~1\acs.exe [4/18/2010 12:10 PM 1195008]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/31/2010 10:25 PM 135664]
S3 afw;Agnitum firewall driver;c:\windows\system32\drivers\afw.sys [4/18/2010 12:10 PM 31128]
S3 afwcore;afwcore;c:\windows\system32\drivers\afwcore.sys [4/18/2010 12:12 PM 257432]
S3 ArHotKey;ArHotKey;c:\windows\system32\drivers\ArHotKey.SYS [9/25/2006 4:51 PM 5632]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 11:15 AM 12872]
.
Contents of the 'Scheduled Tasks' folder

2010-04-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 03:25]

2010-04-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 03:25]

2006-09-28 c:\windows\Tasks\ISP signup reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-06-01 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.yahoo.com
uInternet Connection Wizard,ShellNext = hxxp://www.gateway.com/g/startpage.html?Ch=Consumer&Br=GTW&Loc=ENG_US&Sys=PTB&M=NX100X
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-MCODS



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-23 17:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1519457148-2354007888-860844326-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,08,6e,18,1a,96,5c,44,4d,83,e4,84,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,08,6e,18,1a,96,5c,44,4d,83,e4,84,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(248)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(1088)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2010-04-23 17:49:09
ComboFix-quarantined-files.txt 2010-04-23 22:48

Pre-Run: 63,876,984,832 bytes free
Post-Run: 64,200,318,976 bytes free

- - End Of File - - E64FC4E690A92A6343A031F5AFC0F2C8


#36 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,929 posts
  • Gender:Female
  • Location:Romania
  • Local time:11:56 AM

Posted 24 April 2010 - 02:27 AM

Hi again,

Avira doesn't look like it's running either, although it looks installed.

CF-SCRIPT
-------------
We need to execute a CF-script.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:
CODE
RegLock::
[HKEY_USERS\S-1-5-21-1519457148-2354007888-860844326-500\Software\Microsoft\Internet Explorer\User Preferences]

Save this as CFScript.txt, in the same location as ComboFix.exe



Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Since Outpost was the only program that preceded all those problems, please try to uninstall it and after that see if you still have problems (try to uninstall Avira and reinstall).

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft
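Added example (not code from the thread, from Elise, or from ComboFix): a small Python triage script that reads a ComboFix log in the format posted above and flags what a helper checks first: keys listed under LOCKED REGISTRY KEYS with an @Denied entry (the kind the RegLock:: directive targets), Security Center DisableMonitoring values, a disabled Windows Firewall policy, and autorun entries marked [X]. The SAMPLE_LOG embedded in the script is constructed from the format shown in the thread; the script itself is an assumption of how one would automate the read-through, not a ComboFix feature.

```python
"""Triage a ComboFix log for settings that weaken a host's defences.

Added example, not from the thread or from ComboFix: parses the "Reg Loading
Points" and "LOCKED REGISTRY KEYS" sections in the format ComboFix prints.
"""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed sample in ComboFix's format (raw string, so backslashes are literal).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-17 39408]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1519457148-2354007888-860844326-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")                    # [HKEY_...\Sub\Key]
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.*)$')  # "Name"=data
DENIED_RE = re.compile(r"^@Denied:\s*\((?P<mask>\d+)\)\s*\((?P<who>[^)]+)\)$")
MISSING_RE = re.compile(r"\[X\]\s*$")                             # ComboFix: target file not found


@dataclass
class Findings:
    monitoring_disabled: list[str] = field(default_factory=list)          # Security Center keys
    firewall_disabled: list[str] = field(default_factory=list)            # firewall policy keys
    locked_keys: list[tuple[str, str]] = field(default_factory=list)      # (key, denied principal)
    missing_autoruns: list[tuple[str, str]] = field(default_factory=list)  # (key, value name)


def _int_value(data: str) -> int | None:
    """Decode the integer a ComboFix value line carries: 'dword:00000001' or '0 (0x0)'."""
    m = re.fullmatch(r"dword:([0-9a-fA-F]{8})", data.strip())
    if m:
        return int(m.group(1), 16)
    m = re.match(r"\d+", data.strip())
    return int(m.group(0)) if m else None


def triage(log_text: str) -> Findings:
    """Walk the log line by line, remembering which registry key each value belongs to."""
    f = Findings()
    key: str | None = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        if key is None:
            continue
        m = DENIED_RE.match(line)
        if m:                                   # a key ComboFix could not open
            f.locked_keys.append((key, m.group("who")))
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, data = m.group("name"), m.group("data")
        lk = key.lower()
        if ("security center\\monitoring" in lk and name == "DisableMonitoring"
                and _int_value(data) == 1):
            f.monitoring_disabled.append(key)
        elif "firewallpolicy" in lk and name == "EnableFirewall" and _int_value(data) == 0:
            f.firewall_disabled.append(key)
        elif lk.endswith("\\run") and MISSING_RE.search(data):
            f.missing_autoruns.append((key, name))
    return f


def summarize(f: Findings) -> list[str]:
    """One report line per finding; locked keys first, since they block other fixes."""
    out = [f"LOCKED   {k}  (access denied to {who}; candidate for a RegLock:: entry)"
           for k, who in f.locked_keys]
    out += [f"WEAKENED {k}\\DisableMonitoring=1  (Security Center alerts suppressed)"
            for k in f.monitoring_disabled]
    out += [f"WEAKENED {k}\\EnableFirewall=0  (Windows Firewall policy disabled)"
            for k in f.firewall_disabled]
    out += [f"STALE    {k}\\{name}  (autorun target not found, marked [X])"
            for k, name in f.missing_autoruns]
    return out


if __name__ == "__main__":
    for report_line in summarize(triage(SAMPLE_LOG)):
        print(report_line)
```

Point it at a saved C:\ComboFix.txt by reading the file into `triage()`; the checks are the same ones Elise walked through by eye above.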


#37 jigglestick

jigglestick
  • Topic Starter

  • Members
  • 32 posts
  • Local time:03:56 AM

Posted 24 April 2010 - 08:19 AM

ComboFix 10-04-21.01 - Administrator 04/24/2010 8:07.8.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.665 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
.

((((((((((((((((((((((((( Files Created from 2010-03-24 to 2010-04-24 )))))))))))))))))))))))))))))))
.

2010-04-23 17:41 . 2010-04-23 17:41 -------- d-----w- c:\documents and settings\Administrator\Application Data\Avira
2010-04-23 16:03 . 2010-03-01 15:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-04-23 16:03 . 2010-02-16 19:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-04-23 16:03 . 2009-05-11 17:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-04-23 16:03 . 2009-05-11 17:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-04-23 16:03 . 2010-04-23 16:03 -------- d-----w- c:\program files\Avira
2010-04-23 16:03 . 2010-04-23 16:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-04-23 15:56 . 2010-04-23 16:05 -------- d-----w- C:\08b683f8c761d6d96a
2010-04-23 15:45 . 2010-04-23 15:50 -------- d-----w- C:\cc9548f02a16c078ccff2100b5
2010-04-19 14:22 . 2010-04-19 14:22 -------- d-----w- c:\program files\VS Revo Group
2010-04-19 00:05 . 2010-04-14 16:31 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-04-19 00:05 . 2010-04-14 16:31 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-04-19 00:05 . 2010-04-14 16:31 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-04-19 00:05 . 2010-04-14 16:30 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-04-18 19:33 . 2010-04-18 19:35 -------- d-----w- C:\uninstall.exe
2010-04-17 17:04 . 2010-04-17 17:04 -------- d-----w- c:\program files\ESET
2010-04-16 22:26 . 2010-04-16 22:26 -------- d-----w- c:\program files\Common Files\Java
2010-04-16 22:26 . 2010-04-16 22:26 503808 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6bef276b-n\msvcp71.dll
2010-04-16 22:26 . 2010-04-16 22:26 499712 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6bef276b-n\jmc.dll
2010-04-16 22:26 . 2010-04-16 22:26 348160 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6bef276b-n\msvcr71.dll
2010-04-16 22:26 . 2010-04-16 22:26 61440 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-6a0e2e48-n\decora-sse.dll
2010-04-16 22:26 . 2010-04-16 22:26 12800 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-6a0e2e48-n\decora-d3d.dll
2010-04-16 22:25 . 2010-04-16 22:25 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-05 18:24 . 2010-04-05 18:24 52224 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-04-05 18:24 . 2010-04-05 18:24 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-05 18:24 . 2010-04-05 18:24 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-04-05 18:24 . 2010-04-05 18:24 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-05 18:24 . 2010-04-05 18:24 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-04-05 18:23 . 2010-04-05 18:23 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-04-04 16:46 . 2010-04-04 16:46 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-04-04 16:46 . 2010-03-29 20:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-04 16:46 . 2010-04-04 16:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-04 16:46 . 2010-04-04 21:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-04 16:46 . 2010-03-29 20:24 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-04 04:41 . 2010-04-19 00:12 -------- d-----w- c:\program files\Alwil Software
2010-04-04 04:41 . 2010-04-19 00:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-04-04 04:00 . 2010-04-04 04:00 -------- d-----w- c:\documents and settings\Administrator\Application Data\Helper

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-23 16:15 . 2007-01-06 20:27 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-04-23 16:13 . 2010-01-02 17:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-04-19 00:54 . 2006-09-28 23:28 31384 -c--a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-16 22:25 . 2006-09-25 21:29 -------- d-----w- c:\program files\Java
2010-04-16 20:24 . 2006-06-01 03:17 578560 ----a-w- c:\windows\system32\user32.dll
2010-04-04 22:00 . 2009-01-16 06:42 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-04 22:00 . 2009-01-16 06:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-03-10 06:15 . 2006-06-01 03:17 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-03 01:25 . 2009-08-05 03:12 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-03-02 00:54 . 2006-09-25 21:45 -------- d-----w- c:\program files\Common Files\Adobe
2010-03-02 00:50 . 2010-03-02 00:50 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-03-02 00:50 . 2010-03-02 00:51 38784 ----a-w- c:\documents and settings\Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-03-02 00:49 . 2010-03-02 00:49 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-02-25 06:24 . 2006-06-01 03:17 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2006-06-01 03:16 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-23 22:08 . 2007-12-18 02:48 28846 ----a-w- c:\documents and settings\Administrator\Application Data\wklnhst.dat
2010-02-17 14:10 . 2006-06-01 03:16 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-04 05:59 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2006-06-01 03:16 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2006-06-01 03:17 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
.

((((((((((((((((((((((((((((( SnapShot@2010-04-23_22.46.36 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-04-24 13:00 . 2010-04-24 13:00 16384 c:\windows\temp\Perflib_Perfdata_7cc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-17 39408]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-04-01 2010864]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gateway Extended Warranty"="c:\program files\Gateway\GWCares\GWCares.exe" [2004-02-08 73728]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-10-07 737370]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-26 966656]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-10-12 139264]
"AGRSMMSG"="AGRSMMSG.exe" [2005-12-12 88204]
"arima hotkey"="c:\program files\Arima Hotkey\arima_hotkey.exe" [2006-04-28 753664]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 602182]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-25 98304]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 11:15 AM 66632]
R3 ArHotKey;ArHotKey;c:\windows\system32\drivers\ArHotKey.SYS [9/25/2006 4:51 PM 5632]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 11:15 AM 12872]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/31/2010 10:25 PM 135664]
.
Contents of the 'Scheduled Tasks' folder

2010-04-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 03:25]

2010-04-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 03:25]

2006-09-28 c:\windows\Tasks\ISP signup reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-06-01 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.yahoo.com
uInternet Connection Wizard,ShellNext = hxxp://www.gateway.com/g/startpage.html?Ch=Consumer&Br=GTW&Loc=ENG_US&Sys=PTB&M=NX100X
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-24 08:12
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(948)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3164)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2010-04-24 08:14:57
ComboFix-quarantined-files.txt 2010-04-24 13:14
ComboFix2.txt 2010-04-23 22:49

Pre-Run: 63,098,486,784 bytes free
Post-Run: 63,076,216,832 bytes free

- - End Of File - - 68751A2C0A2E2222F2E5C6129DCE4479

#38 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,929 posts
  • Gender:Female
  • Location:Romania
  • Local time:11:56 AM

Posted 24 April 2010 - 09:07 AM

Can you try to install an AV now (it's up to you which one)?

regards, Elise




#39 jigglestick

jigglestick
  • Topic Starter

  • Members
  • 32 posts
  • Local time:03:56 AM

Posted 24 April 2010 - 09:12 AM

I removed Avira, removed Outpost, then enabled Windows Firewall.
After running the CFScript and posting the log, I reinstalled Avast. It downloaded successfully, but gave me a bit of trouble that may very well have been user error??
Anyway, I re-uninstalled Avast and re-downloaded Avira without a hitch.
It is running right now and has performed a scan.
It seems to be running fine.
I am way ahead of the game right now because I couldn't even get the antivirus programs to install before. Whatever was causing the error while installing them is not there any more.

I think, as you said, it might have been the Outpost firewall.

Would you look over the CFScript and let me know what you think, please?
Maybe I am good to go??

#40 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,929 posts
  • Gender:Female
  • Location:Romania
  • Local time:11:56 AM

Posted 24 April 2010 - 10:08 AM

Yes, the CF log looked good. It's indeed possible Outpost caused all this trouble. I'd say, if everything works fine, just go without a software firewall; it's not worth the trouble it's causing.

Please let me know if there are any other issues or if this can be reclosed.

You can uninstall Combofix as before.

regards, Elise




#41 jigglestick

jigglestick
  • Topic Starter

  • Members
  • 32 posts
  • Local time:03:56 AM

Posted 24 April 2010 - 10:28 AM

Once again, I thank you for the help.

ComboFix is uninstalled without a hitch.
The Windows Firewall is running and Avira is running.

I will now turn this computer back over to my bride.
See how long it takes her to ball it up again...

Close this thread.

#42 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,929 posts
  • Gender:Female
  • Location:Romania
  • Local time:11:56 AM

Posted 24 April 2010 - 11:26 AM

Good luck with it.

This topic is now closed.

regards, Elise






